General
-
Target
9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe
-
Size
2.0MB
-
Sample
240901-bxfagsxdrg
-
MD5
b5de23814a83134fca7ce2dbc450af36
-
SHA1
b5592ad63cbc1706a66dbf7d4c9d833572ab1ecc
-
SHA256
9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35
-
SHA512
775b910fa2918ff3a49d75beb93b51a2f09ab7cf679dab6b1046b261962b2e35d0b326bea528d195fde52259ff1692b46659b9a64cc930e5f097d4abe5752c87
-
SSDEEP
49152:MnOpOCv0Z29PyAey5pV/ohTXY2H2mS5auQi0dGf1ecKxClrpHZ:tON+v5p2TXvWfUeEIR
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1276901959336595519/rnT2bUPlA6cH1e0gUJyRqEX6pBDNwefr13SwZvDBO14mTuQ8UwQDE9Xp0Hqk7Lk4A6UI
Extracted
xworm
21.ip.gl.ply.gg:29567
-
Install_directory
%Temp%
-
install_file
runtimebroken.exe
Targets
-
-
Target
9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35.exe
-
Size
2.0MB
-
MD5
b5de23814a83134fca7ce2dbc450af36
-
SHA1
b5592ad63cbc1706a66dbf7d4c9d833572ab1ecc
-
SHA256
9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35
-
SHA512
775b910fa2918ff3a49d75beb93b51a2f09ab7cf679dab6b1046b261962b2e35d0b326bea528d195fde52259ff1692b46659b9a64cc930e5f097d4abe5752c87
-
SSDEEP
49152:MnOpOCv0Z29PyAey5pV/ohTXY2H2mS5auQi0dGf1ecKxClrpHZ:tON+v5p2TXvWfUeEIR
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Umbral payload
-
Detect Xworm Payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Xworm
Xworm is a remote access trojan written in C#.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1